The purpose of this agreement is to define the conditions under which the processor undertakes to carry out, on behalf of the controller, the personal data processing operations defined below. Pursuant to their contractual relations, the parties undertake to comply with the regulations in force applicable to personal data processing, and in particular Regulation (EU) 2016/679 referred to in the recitals of this agreement.
The processor shall be authorized to process, on behalf of the controller, the personal data needed to provide the following services: the use of Rooftop and data needed to provide support if requested.
The purposes of the processing are based on the main contract between the processor and the controller. For the provision of the service which is the subject of this contract, the controller might provide the processor with additional information.
The processor shall be entrusted with no assignment other than that which consists of storing and backing up the data.
This agreement shall enter into force as of the signing of the contract and shall expire on the same date as the main contract referred to in the recitals.
The processor undertakes to process the data for the sole purposes which constitute the object of the processor agreement, i.e. exclusively their storage and backup. The processor undertakes to process the data in accordance with the controller’s documented instructions. If the processor considers that an instruction constitutes a violation of the European general data protection regulation or any other provision of EU law or the law of the Member States relating to data protection, it shall inform the controller immediately. Furthermore, if the processor is required to proceed to a transfer of data to a third country or an international organization, by virtue of EU law or the law of the Member State under which it falls, it shall inform the controller of this legal obligation before processing, except if the law concerned prohibits such information for important reasons in the public interest.
The processor undertakes to guarantee the confidentiality of personal data processed under this agreement.
It shall moreover ensure that the providers of services or members of its staff who intervene in the storage and backup of personal data under this agreement:
- are not entitled to process the data themselves;
- undertake contractually to observe confidentiality or are subjected to an appropriate legal obligation of confidentiality;
- are given the training needed on personal data protection and the importance of complying with privacy protection legislation;
The confidentiality commitments undertaken by virtue of this agreement shall persist during the entire term thereof as well as for two years as of its expiry date.
The processor shall finally take into account, with respect to its tools, products, applications or services, the principles of data protection by design and data protection by default.
The processor may call on another processor, hereinafter referred to as the “subsequent processor,” for specific processing activities. In such a case, it shall inform the controller in writing in advance of any planned change concerning the addition or replacement of other subsequent processors. This information must indicate clearly the sub-contracted processing activities, the identity and details of the subsequent processors, and the dates of the subsequent processor agreement. The controller shall have at least fifteen/thirty days as of the date this information is received to present its objections. This sub-contracting may be carried out only if the controller has raised no objections during the agreed period. The subsequent processor shall be required to comply with the obligations of this agreement on behalf and according to the instructions of the controller. The initial processor shall ensure that the subsequent processor provides the same sufficient guarantees concerning the implementation of appropriate technical and organizational measures, so that the processing meets the requirements of the European general data protection regulation. If the subsequent processor fails to meet its data protection obligations, the initial processor shall remain fully liable to the controller for the fulfilment by the subsequent processor of its obligations.
It shall be up to the controller to provide information to the data subjects concerned by the processing operations when data are collected. The processor shall insofar as possible help the controller fulfil its obligations to respond to requests by data subjects to exercise their right to access, correct, delete and oppose, limit the processing, the right to data portability, not to be subjected to automated individual decision, including profiling. When the data subjects file requests to exercise their right with the processor, the latter shall upon receipt forward them by e-mail to the contact indicated by the controller.
The processor shall inform the controller by e-mail of any violation of personal data within twenty-four hours maximum of becoming cognizant thereof. Said notification shall be accompanied by any useful documentation to enable the controller to report this violation to the competent authority as and where necessary. It will then be up to the controller to notify the personal data violations detected to the competent authority and apprise the data subject accordingly as promptly as possible, unless the violation in question is likely to entail a risk for the rights and freedoms of said person. The reporting to the competent authority and notification of the data subject shall include all information required by the European general data protection regulation.
The processor undertakes to take appropriate technical and organizational measures in view of the risks inherent to the processing and nature of personal data. He shall in particular take measures to:
- prevent unauthorized persons from accessing the IT systems that process personal data so that they cannot consult, reproduce, edit, delete or disseminate them;
- guarantee that the authorized users of data processing systems can access only personal data covered by their access rights;
- prevent personal data from being read, copied or deleted when transmitted or transported on storage media;
- guarantee the confidentiality, integrity and availability of processing services;
- restore the availability of personal data and access thereto within appropriate time limits in case of physical or technical incident;
- assess regularly the effectiveness of technical and organizational measures to ensure processing security.
Under this agreement, the processor shall, according to the controller’s choice:
- destroy all the personal data; or
- return all the personal data to the controller; or
- return the personal data to the processor designated by the controller.
The controller shall inform the processor of its choice within fifteen/thirty days of the term of this agreement, otherwise all personal data shall be destroyed, without any recourse on the part of the former against the latter. Such return shall be accompanied by the destruction of all copies in the information systems of the processor, who shall justify the destruction in writing.
The processor shall provide the controller with the contact details of his data protection officer, if it should appoint one pursuant to Article 37 of the European general data protection regulation. The data protection officer of the processor can be contacted via firstname.lastname@example.org.
The controller shall undertake to:
- provide the processor with the information referred to in chapter II of this agreement;
- document in writing all instructions concerning the processing of data by the processor;
- ensure beforehand and during the entire term of the processing compliance, including by the processor, with the obligations stipulated by the European general data protection regulation;
- supervise the processing.
The processor shall be held liable for damage caused by the processing entrusted to it only if it failed to fulfil the obligations stipulated in the European general data protection regulation incumbent specifically on the processors or if it acted outside or contrary to the legal instructions of the controller. It shall be absolved of any liability if it proves that the event which caused the damage can in no way be attributed to it.
Neither of the two parties shall be liable to the other for a delay or failure to fulfil its contractual obligations due to one or more reasons beyond its reasonable control, in particular natural disaster, decision of public authorities, war, fire, flood, explosion and civil unrest (the list is not exhaustive). Provided that the party that incurs the delay informs the other party rapidly and in writing of the reason and probable length thereof, the fulfilment of its obligations shall be suspended insofar as said obligations are influenced by the delay, for the period during which the reason for the delay persists.
Neither party may transfer the rights and obligations arising out of this agreement without the prior, written consent of the other party, which shall not refuse nor delay granting such consent without reasonable grounds.
Any amendment to this agreement shall necessarily be in writing, signed by the person vested with the relevant powers.
This agreement shall be governed by Belgian law. Any dispute as to the validity, interpretation, performance, cancellation or termination shall be referred exclusively to the courts of the processor’s registered office. The processor may nonetheless call upon the controller for intervention and guarantee before any other court in charge of ruling on a main action which justifies the involvement of the controller.
About Subcontractors. Rooftop tracks online traffic with Google Analytics and stores customer data in an ActiveCampaign account on top of EASI's own servers.
Feel free to reach out if you have any questions regarding our general conditions!
© 2020 Rooftop - Easi